IS Security Policy
26-Sep-05
IS Security: The Challenge Presented by Computers Practicum: Recognizing Fraud – The Anonymous Caller
Schedule

Week | Topic | Readings | Practicum
12-Sep-05 | Identifying Computer Systems | Chapter 2 | Evaluating IT Benefits and Risks: Jacksonville Jaguars
19-Sep-05 | IS Audit Programs | Chapter 3 | The Job of the Staff Auditor: A Day in the Life of Brent Dorsey
26-Sep-05 | IS Security | Chapter 4 | Recognizing Fraud: The Anonymous Caller
3-Oct-05 | Utility Computing and IS Service Organizations | Chapter 5 | Evaluating a Prospective Audit Client: Ocean Manufacturing
10-Oct-05 | Physical Security | Chapter 6 | Inherent Risk and Control Risk: Comptronix Corporation
17-Oct-05 | Logical Security | Chapter 7 & 8 | Evaluating the Internal Control Environment: Easy Clean
24-Oct-05 | IS Operations | Chapter 9 | Fraud Risk and the Internal Control Environment: Cendant Corporation
31-Oct-05 | Controls Assessment | Chapter 10 | IT-based vs. Manual Accounting Systems: St James Clothiers
7-Nov-05 | Encryption and Cryptography | Chapter 11 | Materiality / Tolerable Misstatement: Dell Computer
14-Nov-05 | Computer Forensics | Chapter 12 | Analytical Procedures as Substantive Tests: Burlington Bees
21-Nov-05 | New Challenges from the Internet: Privacy, Piracy, Viruses and so forth | Chapter 13 | Information Systems and Audit Evidence: Henrico Retail
28-Nov-05 | Auditing and Future Technologies | Chapter 16 | Flowcharting Transaction Cycles: Southeast Shoe Distributor
What is a Security Policy?
A security policy establishes what must be done to protect information stored on computers.
A well-written policy contains sufficient definition of “what” to do so that the “how” can be identified and measured or evaluated.
Policy is the “formal” part of a strategy.
What is Strategy?
[Figure: differing perspectives on strategy, plotted by outcomes (profit-maximizing vs. pluralistic) against processes (deliberate vs. emergent): the Classical, Evolutionary, Systemic and Processual schools, traced from classical military strategy through the 1970s, 1980s and 1990s]
Classical Perspective on Strategy: Inside the Firm (Operations)
[Figure: the classical view of operations. Inputs (manpower, money, machines, methods, materials) pass through plan, organize, actuate and control to outputs measured by quantity, quality, cost and time; objectives are profitability, efficiency, growth and survival, judged on environmental/competitive and internal financial/non-financial criteria; the manager acts on information supplied by information systems]
Strategy and Policy
Strategy defines the way that top management achieves corporate objectives.
Policy is a written set of procedures, guidelines and rules, designed to accomplish a subset of strategic tasks by a particular subgroup of employees.
Effective security policy
An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well.
A security policy allows people to take necessary actions without fear of reprisal.
Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for
employees.
Effective information security policy
Information security policy defines the organization’s attitude to information, and announces internally and externally that information is an asset which is to be protected from unauthorized access, modification, disclosure, and destruction.
Effective information security policies will turn staff into participants in the company’s security.
The process of developing these policies will help to define a company’s information assets.
Why Do You Need Security Policy?
A security policy should:
- Protect people and information
- Set the rules for expected behavior by users, system administrators, management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation
Who Will Use Your Policies? Count Your Audiences
Your audience is of course all your company employees. This group can be divided into sub-categories: Management, Technical Custodians, End-Users.
All users will fall into at least one category (end-user) and some will fall into two or even all three.
The audience for the policy will determine what is included in each policy document.
Policies Will Answer Questions
[Figure: What? Who? When? Where? How? Why?]
Rudyard Kipling’s ‘six honest serving men’: what, who, when, where, how & why?
- What is the problem?
- Who (which individual in the case) is responsible for solving the problem and making a decision?
- Where is the money? (The value generated by the solution)
- When does the problem need to be solved?
- How will you measure success?
- Why did you have this problem, and what will you do to prevent it in the future?
The “Why”
You may not always want to include a description of why something is necessary in a policy. But if your reader is an end-user, it may be helpful to incorporate a description of why a particular security control is necessary, because this will not only aid their understanding, but will also make them more likely to comply with the policy.
Establishing the Company’s Risk Profile (It’s Surprisingly Similar to the Auditor’s Risk Assessment Database)
Columns are drawn from the Asset table (Ex 2.1) and the Risk Assessment table (Ex. 2.2 with improvements):

Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss ($ per year)
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250
Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc

*Whether you list depends on Audit Materiality
Why are auditors interested in IS Security Policy?
[Figure: the physical world (external real-world entities and events that create and destroy value; the internal operations of the firm; transactions) alongside the parallel (logical) world of accounting (journal entries; ledgers/databases; 'owned' assets and liabilities; reports/statistics; accounting systems), under corporate law. Auditing links the two: audit program, tests of transactions, substantive tests, analytical tests, attestation, and the audit report/opinion]
Practicum: Recognizing Fraud
The Anonymous Caller
Recognizing It's a Fraud and Evaluating What to Do
How to Write An IS Security Policy
The Three Elements of Policy Implementation
Standards – Standards specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures
Guidelines – Similar to standards but are recommended actions
Procedures – These are the detailed steps that must be performed for a given task.
Steps to Creation of IS Security Policy: Policy Development Lifecycle
1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books…)
6. Interview the parties responsible for, accountable for, or controlling the assets:
   1. Define your objectives
   2. Control the interview
   3. Sum up and confirm
   4. Post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in “awareness” strategies
9. Review and update
10. Gap analysis
11. Develop communication strategy
12. Publish
What’s in a Policy Document
Governing Policy
Should address information security policy at a general level: define significant concepts, describe why they are important, and detail what your company’s stand is on them.
Governing policy will be read by managers and by technical custodians
Level of detail: governing policy should address the “what” in terms of security policy.
Governing Policy Outline might typically include:
1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
Technical Policies
Used by technical custodians as they carry out their security responsibilities for the system they work with.
Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.
Technical Policy Outline might typically include:
1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
User Policies
Cover all the IS security policy that end-users should ever have to know about, comply with, and implement. Most of these will address the management of transaction flows and databases associated with applications.
Some of these policy statements may overlap with the technical policy.
Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security.
User Policy Outline might typically include:
1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output
Special Topics
New IS Security Threats that have arisen or grown in
importance over the Last Decade
Social Engineering
Tricking firm personnel into:
- Revealing passwords
- Relinquishing control of sensitive or valuable information
- Allowing entry to intruders
- Or other activity destructive or detrimental to the firm
Only ‘Awareness’ programs can control for social engineering
Recent News: Email Fraud and HSBC
Policy on Information Sharing: Identify Assets, Threats, and Countermeasures
Information which needs to be protected:
- Information created by, intended solely for, or of sole possession of a single user.
- Information considered personal or private to a single user.
- Information relating to employee health or social security number, Non-disclosure Agreement protected information, publicly identifiable research subject or customer data, classified information, and information protected by the greater organization’s program policy.
To help determine which protective countermeasures will be employed, the threats to the protected information need to be determined:
- Breach of user confidentiality or privacy due to unauthorized access of protected information.
- Breach of information integrity, ownership, or accountability due to unauthorized modification of protected information.
- Breach of information availability due to unauthorized deletion, movement, or other suppression of protected information.
The focus of the information sharing policy is to mitigate the threat from other users within the organizational unit.
Related technical policies such as policy for router configuration, firewall configuration, or anti-virus protection must also be designed to help mitigate those threats.
Managing Internet Use: Big Brother or Due Diligence?
Internet access has become an established business tool, taken for granted along with email, telephone and facsimile.
Like these other media, giving staff access to the Internet has risks:
- Will they spend all day downloading porn or swapping chat messages with their friends?
- Will they infect the network with viruses or publish company secrets?
Responsibility Accounting
Each bubble is associated with a person or entity that is responsible for that process. The same individuals with managerial control, accountability, and responsibility for the process should all be responsible for the same bubble.
Example (next slide) of Traditional Flowchart: often, traditional accounting flowcharts place responsibility centers across the top of the chart, and the sequence of processes from top (first) to bottom (last).
Example of an Internet Risk Assessment Matrix

Threat (High, Med, Low) | Vulnerability (High, Med, Low) | Impact (High, Med, Low) | Risk (1-27) | Mitigation
Excessive Internet Use (H) | Inadequate reporting of use (H) | Wasted time (M) | 18 | Acceptable Use Policy. Usage monitoring and reporting.
Excessive Internet Use (H) | Connection not authenticated (H) | Lack of accountability (H) | 27 | Require all connections to be authenticated.
Inappropriate Internet Use (M) | Staff able to access such sites (M) | Can be sued for hostile workplace (M) | 8 | Acceptable Use Policy. Implement blocking capability. Disciplinary Process.
Unauthorised software (M) | Staff able to install software (L) | Local PC destabilised (L) | 2 | Policy. Lock Down PC. Audit.
Unauthorised software (M) | Non-compliance with licenses (M) | Sued by vendor (H) | 12 | Policy. Lock Down PC. Audit. Approved purchase route.
Unauthorised software (M) | Virus/Trojan introduced (L) | Loss or disclosure of data (H) | 6 | Policy. Lock Down PC. Anti-virus software.
Users don’t speak English (M) | System messages in English (M) | Policy not followed because not understood (M) | 8 | Translate Policy. Login banners in local language. Error pages in local language.
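The two tables above (the company risk profile with its Expected Loss column, and the Internet risk assessment matrix with its 1-27 Risk column) can be driven from one small script. This is an added example, not part of the original slides: in every matrix row the Risk value equals threat x vulnerability x impact with H=3, M=2, L=1, so the code assumes that scoring rule, and the materiality threshold and the row names are constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal ratings behind the Internet risk assessment matrix. Every Risk value in
# the table equals threat x vulnerability x impact with H=3, M=2, L=1 (1..27).
RATING = {"H": 3, "M": 2, "L": 1}


def risk_score(threat: str, vulnerability: str, impact: str) -> int:
    """Product of the three H/M/L ratings, giving the 1-27 score in the matrix."""
    return RATING[threat] * RATING[vulnerability] * RATING[impact]


@dataclass
class AssetRisk:
    """One row of the company risk profile: an asset plus one risk to it."""
    asset: str
    owner: str
    risk: str
    probability_per_year: float   # expected occurrences per year
    cost_per_occurrence: float    # dollars lost per occurrence

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss: occurrences per year x cost of one."""
        return self.probability_per_year * self.cost_per_occurrence


def material_risks(rows, materiality: float):
    """Rows whose expected loss reaches the audit materiality threshold, highest
    first. Rows below the threshold are left out, as the table's footnote says."""
    return sorted((r for r in rows if r.expected_loss >= materiality),
                  key=lambda r: r.expected_loss, reverse=True)


# Constructed sample data, copied from the two worked rows of the risk profile.
PROFILE = [
    AssetRisk("Win XP, Receiving Dock", "A/P", "Theft", 100, 100),
    AssetRisk("Win XP, Receiving Dock", "A/P", "Obsolescence and spoilage", 35, 350),
]

# Three matrix rows as (threat, vulnerability, impact); names are constructed.
INTERNET_MATRIX = {
    "Excessive use / inadequate reporting": ("H", "H", "M"),
    "Excessive use / unauthenticated connection": ("H", "H", "H"),
    "Unauthorised software / PC destabilised": ("M", "L", "L"),
}


def ranked_matrix(matrix):
    """Matrix rows ordered by descending risk score, for prioritising mitigation."""
    scored = {name: risk_score(*ratings) for name, ratings in matrix.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for r in material_risks(PROFILE, materiality=5000):
        print(f"{r.asset}: {r.risk} -> expected loss ${r.expected_loss:,.0f}/yr")
    for name, score in ranked_matrix(INTERNET_MATRIX):
        print(f"{score:2d}  {name}")
```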
Excessive non-business related Internet use
Risk both in terms of lost productivity and in competition for infrastructure resources for legitimate business use.
Surveys have estimated the time spent on non-business browsing by US and UK workers to average 30 to 60 minutes a day.
Lost productivity of a pharmaceutical industry worker who spends one hour a day on non-business use is estimated at $43,000 a year (est. Surfcontrol, Inc.).
News, chat and email represent the greatest problems.
Where Internet Use Occurs
Unauthorized Software
Employees with Internet access are able to download software.
This could be commercial software or shareware that is not part of the standard desktop, but could also be Trojans and viruses.
There is also the risk of non-compliance with licensing terms, for example commercial use of a product that is only free for personal use (though these problems are decreasing).
The impact of unauthorised software will vary depending on the sensitivity of the system on which it is installed
Installation of unauthorised software on strictly controlled PCs that are part of formally defined and validated systems compromises the entire system.
Policy implementation alternatives
Authentication: Having the client authenticate with the Internet gateway ensures that usage is assigned to individual user IDs. It also provides the opportunity to display an acceptable use banner.
Logging: Usage logs may be created by firewall and proxy servers. These will contain User ID, Client IP, URL requested and time stamp. Logs should be regularly reviewed to detect inappropriate use.
URL Blocking: Given the low cost of blocking software, typically $10 a seat, it would be difficult for a company to defend a hostile workplace action unless it had implemented blocking.
Reporting: Usage reporting should be automated using the capabilities of the blocking software, with reporting tools such as WebTrends or with custom scripts. Care should be taken when reporting individuals’ usage as this risks infringing their privacy.
Investigation of Inappropriate Use: IT Security should avoid becoming the moral guardians of the company. Inappropriate use is primarily a line management issue, so any investigation should be managed by Human Resources departments, with IT security staff providing technical assistance. Policy should describe an escalation process by which incidents can be handed off from IT to HR and on to corporate security or even the police if necessary.
Data Retention: Companies should define a process to archive or dispose of log files. HR should retain any data that has been used as part of a disciplinary process, with other records relating to the case.
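The logging and reporting steps above amount to a custom review script over the proxy log. This is an added example, not from the original slides or any proxy product: the log line format (user ID, client IP, time stamp, URL), the sample entries and the host-to-category map are all constructed for illustration. The report carries only per-user category counts, not URLs, so it can be passed to HR without exposing more about an individual's browsing than the escalation needs.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines with the four fields the slide lists: user ID,
# client IP, time stamp, requested URL. Not the output of any real proxy.
SAMPLE_LOG = """\
jdoe 10.1.2.3 2005-09-26T09:02:11 http://intranet.example.com/timesheet
jdoe 10.1.2.3 2005-09-26T09:15:42 http://news.example.org/sports
jdoe 10.1.2.3 2005-09-26T09:16:05 http://chat.example.net/room/7
jdoe 10.1.2.3 2005-09-26T09:40:13 http://news.example.org/markets
asmith 10.1.2.9 2005-09-26T09:05:00 http://supplier.example.com/catalog
asmith 10.1.2.9 2005-09-26T10:11:37 http://blocked.example.net/download.exe
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<user>\S+) (?P<ip>\S+) (?P<ts>\S+) (?P<url>\S+)$")

# Constructed host-to-category map standing in for a blocking product's category
# list; "blocked" marks hosts the acceptable use policy says must never be reached.
CATEGORIES = {
    "news.example.org": "news",
    "chat.example.net": "chat",
    "blocked.example.net": "blocked",
}


def parse_log(text):
    """Yield (user, ip, timestamp, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["ip"], m["ts"], urlsplit(m["url"]).hostname


def usage_report(text, threshold):
    """Return (per-user category counts, users over `threshold` non-business
    requests, users with any blocked-host hit). The report holds no URLs, so it
    can go to HR under the escalation process without over-exposing individuals."""
    per_user = defaultdict(Counter)
    for user, _ip, _ts, host in parse_log(text):
        per_user[user][CATEGORIES.get(host, "business")] += 1
    flagged = sorted(u for u, c in per_user.items()
                     if sum(n for cat, n in c.items() if cat != "business") > threshold)
    blocked_hits = sorted(u for u, c in per_user.items() if c["blocked"])
    return {u: dict(c) for u, c in per_user.items()}, flagged, blocked_hits


if __name__ == "__main__":
    report, flagged, blocked = usage_report(SAMPLE_LOG, threshold=2)
    for user, counts in report.items():
        print(user, counts)
    print("over threshold:", flagged, "blocked-host hits:", blocked)
```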
Scant Privacy Protection
There is little legal foundation in the US or Asia to protect individuals’ privacy.
Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees.
The main requirement of the Electronic Communications Privacy Act is that employees must give their consent to monitoring and employers must notify staff of their monitoring policy on hiring and annually thereafter.
"If an employer electronically monitors an employee without giving the required notice, an employee may sue for civil damages. Compensatory damages are capped at $5000, and total damages are capped at $20,000. In a case where many employees are affected, per incident damages are capped at $500,000."
Conversely, there is a requirement on employers to take steps to protect their staff from a hostile workplace.
"[The Supreme Court requires that] companies must take reasonable steps to prevent as well as quickly correct any hostile environment or sexual harassment behaviors as they occur. It can be interpreted that if there are reasonable technologies able to prevent this from ever happening, companies must take those steps."
The conclusion is that US law requires companies to implement processes, such as monitoring and blocking, to protect their staff, and staff should have no expectation of privacy provided they have been informed of the monitoring.